Critical SharePoint Zero-Day Vulnerability CVE-2025-53770: ToolShell Exploited In Enterprise Servers

A critical zero-day vulnerability affecting on-premises Microsoft SharePoint Servers has been actively exploited by threat actors since July 2025. CVE-2025-53770, dubbed “ToolShell” by security researchers, enables unauthenticated remote code execution through a crafted POST request to SharePoint’s ToolPane endpoint. This vulnerability represents a significant security risk for organizations running on-premises SharePoint deployments, with multiple nation-state actors already incorporating the exploit into their attack campaigns.

Vulnerability Overview

Technical Details

CVE-2025-53770 builds on two prior vulnerabilities (CVE-2025-49706 and CVE-2025-49704) that were patched on July 8th, 2025. The vulnerability affects Microsoft SharePoint Server 2016, 2019, and Subscription Edition, allowing attackers to bypass authentication through a multi-stage attack chain.

The exploit works by sending a specially crafted HTTP POST request to the endpoint:

/_layouts/15/ToolPane.aspx?DisplayMode=Edit

The attack includes a forged Referer header pointing to /layouts/15/signout.aspx, which tricks SharePoint into skipping authentication and form digest validation. This fundamental flaw in SharePoint’s trusted internal workflow validation allows attackers to gain unauthorized access without providing any credentials.

CVSS Score and Classification

CVE-2025-53770 has been assigned a CVSS score of 9.8 (Critical), reflecting its severe impact potential. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgent need for remediation across all affected organizations.

Attack Chain Methodology

The ToolShell exploit operates through three distinct phases:

Phase 1: Authentication Bypass

Attackers exploit a logic flaw in SharePoint’s Referer header validation by sending a POST request with a forged Referer header, causing the server to treat the request as legitimate and process it under an unauthenticated context.

Phase 2: Web Shell Deployment

Once inside the system, attackers deploy malicious ASPX files to the SharePoint layouts directory. These files, typically named spinstall0.aspx, are designed to extract cryptographic secrets including ValidationKey, DecryptionKey, and signing algorithms used by ASP.NET to validate __VIEWSTATE payloads.

Phase 3: Remote Code Execution

With stolen cryptographic keys, attackers craft signed, malicious __VIEWSTATE tokens using tools like ysoserial.net. These payloads embed system commands and are sent to SharePoint pages via GET requests, leading to full remote code execution under the application pool identity (NT AUTHORITY\IUSR).
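The request shape described in Phases 1 and 2 leaves a recognizable trace in IIS web logs. As an added example (not code from the original article or from Microsoft), the Python script below reads IIS W3C extended log lines and flags two things: a POST to ToolPane.aspx with DisplayMode=Edit whose Referer names signout.aspx, and any request for the webshell file names the article lists under its indicators (spinstall*.aspx, xxx.aspx, debug_dev.js). The log excerpt is constructed, the field order follows the standard IIS #Fields directive, the client addresses come from documentation ranges, and the rule names are my own labels.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C extended log excerpt (not real telemetry). The field
# order follows the #Fields directive exactly as IIS writes it; "-" is IIS's
# marker for an empty field. Real logs encode spaces inside a field as "+",
# which is why whitespace splitting is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 Mozilla/5.0 http://sp.corp.example/sites/hr 200
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.23 Mozilla/5.0 /_layouts/15/signout.aspx 200
2025-07-18 09:12:45 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.23 Mozilla/5.0 - 200
2025-07-18 09:13:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.21 Mozilla/5.0 http://sp.corp.example/_layouts/15/settings.aspx 200
2025-07-18 09:14:02 10.0.0.5 GET /_layouts/15/spinstall.aspx - 203.0.113.9 curl/8.0 - 404
"""

# File names the article lists as webshell / key-dump artifacts.
WEBSHELL_NAME = re.compile(r"^(spinstall\d*\.aspx|xxx\.aspx|debug_dev\.js)$", re.I)


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        values = raw.split()
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line; skip rather than guess
        yield dict(zip(fields, values))


def classify(entry):
    """Return the rule names (my own labels) that a single request matches."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "")
    referer = entry.get("cs(Referer)", "").lower()
    findings = []

    # Rule 1: the ToolShell request shape - POST to ToolPane.aspx in edit mode
    # with a Referer that names signout.aspx. Legitimate edits arrive with a
    # Referer pointing at the page being edited, not at the sign-out page.
    display_mode = parse_qs(query).get("DisplayMode", [""])[0].lower()
    if (method == "POST" and stem.lower().endswith("/toolpane.aspx")
            and display_mode == "edit" and "signout.aspx" in referer):
        findings.append("toolshell_auth_bypass_request")

    # Rule 2: any request for a known webshell file name under /_layouts/.
    # A 200 means the file exists on disk; anything else is still worth
    # keeping as evidence that someone is looking for it.
    name = stem.rsplit("/", 1)[-1]
    if "/_layouts/" in stem.lower() and WEBSHELL_NAME.match(name):
        hit = entry.get("sc-status") == "200"
        findings.append("webshell_path_hit" if hit else "webshell_path_probe")
    return findings


def triage(log_text):
    """Run both rules over a log and return one alert per (request, rule)."""
    alerts = []
    for entry in parse_w3c(log_text):
        for rule in classify(entry):
            alerts.append({
                "time": f"{entry['date']} {entry['time']}",
                "client": entry["c-ip"],
                "rule": rule,
                "uri": entry["cs-uri-stem"],
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_IIS_LOG):
        print(f"{alert['time']} {alert['client']:<16} {alert['rule']:<32} {alert['uri']}")
```

On the sample, the legitimate edit from 10.0.0.21 produces no alert because its Referer points at the page being edited; the request from 198.51.100.23 trips rule 1 and, one second later, rule 2 with a 200 status, which is the Phase 1 to Phase 2 sequence in a single client's activity. Point the script at the real log directory of an on-premises farm (every front-end, since load balancing spreads the requests) and sort the output by client address to reconstruct the same sequence.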

Active Exploitation in the Wild

Threat Actor Attribution

Microsoft has observed multiple Chinese nation-state actors exploiting these vulnerabilities, including Linen Typhoon, Violet Typhoon, and Storm-2603. Each group brings distinct tactics and objectives to their exploitation campaigns:

Linen Typhoon: Operating since 2012, this group focuses on intellectual property theft, particularly targeting government, defense, and strategic planning organizations.

Violet Typhoon: Active since 2015, specializes in espionage against former government personnel, NGOs, think tanks, and media organizations across the United States, Europe, and East Asia.

Storm-2603: A China-based threat actor with medium confidence attribution, previously associated with Warlock and Lockbit ransomware deployments.

Attack Clusters and Methodologies

SentinelOne researchers identified three distinct attack clusters, each demonstrating unique tradecraft and objectives:

Cluster 1: “xxx.aspx” Campaign

This group deployed a password-protected ASPX webshell with basic HTML interface functionality, including authentication, command execution, and file upload features. The activity appeared manual and exploratory, indicating human operator involvement.

Cluster 2: “spinstall0.aspx” Campaign

Observed in two waves on July 18-19, 2025, this group focused on deploying reconnaissance tools designed to extract and expose sensitive cryptographic information from compromised hosts. Unlike traditional command shells, these tools specifically targeted MachineKey data for persistent access across load-balanced environments.

Cluster 3: “no shell” Campaign

The most advanced group employed fileless execution techniques, relying on in-memory .NET module execution and avoiding traditional file-based artifacts entirely. This method greatly complicates detection and forensic recovery efforts.

Global Impact and Exploitation Timeline

The vulnerability has been confirmed to be under active exploitation not only in the United States but also internationally. The Canadian Centre for Cyber Security confirmed exploitation occurring in Canada, highlighting the global scope of the threat. Microsoft first disclosed the vulnerability on July 19-20, 2025, after detecting active exploitation attempts targeting high-value organizations.

Targeted Organizations and Impact

Initial exploitation attempts targeted high-value organizations in technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations. The careful selection of targets suggests strategic objectives rather than opportunistic attacks.

The vulnerability poses particular risks because:

  • SharePoint servers typically contain sensitive organizational data
  • Vulnerable servers can be weaponized for internal watering hole attacks
  • The unauthenticated nature makes exploitation relatively straightforward
  • Multiple attack vectors allow for persistence and lateral movement

Organizations seeking comprehensive insights into SharePoint security frameworks and understanding attack methodologies can reference our detailed analysis on SharePoint Online Attack Matrix: Mapping Breaches, OAuth Abuse & Exfiltration, which provides in-depth coverage of breach mapping techniques, OAuth abuse patterns, and data exfiltration methods specific to SharePoint environments.

Microsoft's Response and Patches

Product | Security Update Link
Microsoft SharePoint Server Subscription Edition | Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768)
Microsoft SharePoint Server 2019 | Security Update for Microsoft SharePoint 2019 (KB5002754)
Microsoft SharePoint Server 2019 | Security Update for Microsoft SharePoint Server 2019 Language Pack (KB5002753)
Microsoft SharePoint Server 2016 | Security Update for Microsoft SharePoint Enterprise Server 2016 (KB5002760)
Microsoft SharePoint Server 2016 | Security Update for Microsoft SharePoint Enterprise Server 2016 Language Pack (KB5002759)

The updates address CVE-2025-53770, the newly disclosed remote code execution vulnerability related to CVE-2025-49704, and CVE-2025-53771, the security bypass vulnerability related to CVE-2025-49706. Microsoft emphasizes that these vulnerabilities affect only on-premises SharePoint Servers and do not impact SharePoint Online (cloud-based) deployments.

Enhanced Security Measures

Organizations should also consider implementing additional security layers:

  • Network segmentation to isolate SharePoint servers
  • Regular security assessments and penetration testing
  • Enhanced monitoring and logging capabilities
  • Implementation of zero-trust network principles

Detection and Monitoring

Organizations should implement comprehensive monitoring for:

  • Unusual PowerShell execution from SharePoint worker processes
  • File creation in SharePoint LAYOUTS directories
  • Suspicious network connections from SharePoint servers
  • Anomalous .NET assembly loading patterns
  • Process chains involving w3wp.exe → cmd.exe → powershell.exe

Microsoft Defender for Endpoint users can leverage vulnerability management capabilities by navigating to Vulnerability management > Software vulnerabilities, filtering by CVE, and looking for Evidence of Exploitation tags for affected assets.
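Two of the bullets above (PowerShell launched from the SharePoint worker process, and the w3wp.exe → cmd.exe → powershell.exe chain) are the same check seen at different depths: a PowerShell process whose ancestry contains w3wp.exe. As an added example, not code from the article or from any vendor, the Python below reconstructs process ancestry from process-creation events (the pid/ppid/image fields that Sysmon Event ID 1 or Security 4688 provide) and reports every PowerShell process that descends from w3wp.exe, together with the chain that led to it. The event records are constructed; the field names and rule output are my own.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: the fields Sysmon EID 1 / Security 4688 share."""
    pid: int
    ppid: int
    image: str     # full image path as logged on the Windows host
    cmdline: str


# Constructed process-creation events (not real telemetry).
EVENTS = [
    ProcEvent(4100, 700, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap \"SharePoint - 80\""),
    ProcEvent(5210, 4100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -nop -w hidden"),
    ProcEvent(5222, 5210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop -w hidden"),
    ProcEvent(6100, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -enc <constructed>"),
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-SPSite"),
]

SHAREPOINT_WORKER = "w3wp.exe"
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def image_name(path):
    """Last path component, lower-cased. Splits on backslashes by hand so the
    check behaves the same when the analysis runs on a non-Windows host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_index(events):
    return {e.pid: e for e in events}


def ancestry(index, pid, max_depth=16):
    """Return the process chain root-first, stopping at an unknown parent,
    a pid reuse loop, or max_depth."""
    chain, seen = [], set()
    current = index.get(pid)
    while current is not None and current.pid not in seen and len(chain) < max_depth:
        seen.add(current.pid)
        chain.append(current)
        current = index.get(current.ppid)
    return list(reversed(chain))


def find_suspicious_chains(events):
    """Every PowerShell process with w3wp.exe somewhere above it, with its chain."""
    index = build_index(events)
    hits = []
    for event in events:
        if image_name(event.image) not in POWERSHELL_IMAGES:
            continue
        names = [image_name(p.image) for p in ancestry(index, event.pid)]
        if SHAREPOINT_WORKER in names[:-1]:
            start = names.index(SHAREPOINT_WORKER)
            hits.append({
                "pid": event.pid,
                "chain": " -> ".join(names[start:]),
                "cmdline": event.cmdline,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_chains(EVENTS):
        print(f"pid {hit['pid']}: {hit['chain']}  [{hit['cmdline']}]")
```

On the sample data the direct w3wp.exe → powershell.exe spawn and the three-step chain through cmd.exe are both reported, while the administrator's PowerShell under explorer.exe is not. Feeding real events into `EVENTS` is a matter of mapping the ProcessId, ParentProcessId and Image fields of each record onto `ProcEvent`; the ancestry walk tolerates a missing parent record and pid reuse.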

Indicators of Compromise

File Indicators

  • spinstall0.aspx (and variants: spinstall.aspx, spinstall1.aspx, spinstall2.aspx)
  • xxx.aspx (custom password-protected webshell)
  • debug_dev.js (file containing stolen MachineKey data)

Network Indicators

  • 96.9.125.147 (no shell cluster)
  • 107.191.58.76 (spinstall0.aspx first wave)
  • 104.238.159.149 (spinstall0.aspx second wave)
  • 131.226.2.6 (post-exploitation C2)
  • 134.199.202.205 (exploitation IP)

File Hashes (SHA-256)

  • 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx)
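The file and network indicators above are most useful when applied as a sweep rather than read one by one. As an added example, not part of the original article, the Python below walks a LAYOUTS-style directory tree and reports files whose name matches the listed webshell names or whose SHA-256 matches a known hash, and separately checks connection records against the listed addresses. The only real indicator values in it are the ones printed in this article; the directory tree, file contents and connection records are constructed in a temporary directory so the script runs offline, and the hash of the constructed sample is registered as an extra indicator to show that a renamed copy is still caught by its hash.

```python
import hashlib
import os
import re
import tempfile

# Indicators taken from the article text above; everything else here is constructed.
IOC_FILE_NAMES = re.compile(r"^(spinstall\d*\.aspx|xxx\.aspx|debug_dev\.js)$", re.I)
IOC_SHA256 = {
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514": "spinstall0.aspx",
}
IOC_IPS = {
    "96.9.125.147": "no shell cluster",
    "107.191.58.76": "spinstall0.aspx first wave",
    "104.238.159.149": "spinstall0.aspx second wave",
    "131.226.2.6": "post-exploitation C2",
    "134.199.202.205": "exploitation IP",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads never land in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_directory(root, extra_hashes=None):
    """Walk a directory tree and report files matching a name or hash indicator.

    Name and hash are checked independently: a renamed webshell still trips the
    hash, and a fresh variant that keeps the listed name still trips the name check.
    """
    hashes = dict(IOC_SHA256)
    hashes.update(extra_hashes or {})
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if IOC_FILE_NAMES.match(name):
                reasons.append("name matches webshell indicator")
            digest = sha256_file(path)
            if digest in hashes:
                reasons.append(f"sha256 matches {hashes[digest]}")
            if reasons:
                findings.append({"path": path, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def check_connections(records):
    """records: (local_ip, remote_ip, remote_port) tuples from a firewall or flow export."""
    return [(rec, IOC_IPS[rec[1]]) for rec in records if rec[1] in IOC_IPS]


def demo():
    """Build a throwaway LAYOUTS-like tree with constructed files and sweep it."""
    root = tempfile.mkdtemp(prefix="layouts-demo-")
    layouts = os.path.join(root, "15", "TEMPLATE", "LAYOUTS")
    os.makedirs(layouts)
    # Constructed placeholder content, deliberately not the real file; its hash is
    # registered below as an extra indicator purely to exercise the hash-only path.
    sample = b'<%@ Page Language="C#" %><!-- constructed placeholder -->'
    for filename, body in (("spinstall0.aspx", sample),
                           ("renamed.aspx", sample),
                           ("default.aspx", b"<html>benign</html>")):
        with open(os.path.join(layouts, filename), "wb") as fh:
            fh.write(body)
    sample_hash = hashlib.sha256(sample).hexdigest()
    findings = sweep_directory(root, extra_hashes={sample_hash: "constructed sample"})
    # Constructed connection records; 203.0.113.10 is a documentation address.
    conns = check_connections([("10.0.0.5", "131.226.2.6", 443),
                               ("10.0.0.5", "203.0.113.10", 443)])
    return findings, conns


if __name__ == "__main__":
    found, suspicious = demo()
    for f in found:
        print(f["path"], f["sha256"][:16], "; ".join(f["reasons"]))
    for rec, label in suspicious:
        print("connection to", rec[1], "matches", label)
```

In production the root would be the LAYOUTS directory of every front-end in the farm, and the connection records would come from the perimeter firewall or proxy for the exploitation window (July 18 onward). Because the Cluster 3 activity described above leaves no file on disk, an empty sweep result clears only the file-based clusters; the process and web-log checks still need to run.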

Security Validation and Testing

Organizations should implement proactive security validation to test their defenses against CVE-2025-53770 exploitation attempts. Security validation platforms like Picus Security offer specific threat simulations for SharePoint RCE vulnerabilities, including:

  • Threat ID 95895: Microsoft Sharepoint Web Attack Campaign
  • Threat ID 24572: Webshell Web Attack Campaign – 3

These simulations help organizations verify the effectiveness of their security controls and identify potential gaps in detection capabilities.

Advanced Persistent Threat Considerations

The involvement of multiple nation-state actors indicates this vulnerability will likely remain a high-priority target. As awareness spreads within threat actor communities, organizations should expect further weaponization and sustained targeting of vulnerable SharePoint infrastructure.

Organizations should prepare for:

  • Continued exploitation attempts by additional threat groups
  • Evolution of attack techniques to bypass detection
  • Integration of ToolShell exploits into broader APT campaigns
  • Potential supply chain attacks targeting SharePoint-dependent services

Conclusion

CVE-2025-53770 is a critical security vulnerability that requires immediate organizational action. The combination of unauthenticated access, remote code execution capabilities, and active exploitation by sophisticated threat actors creates a dangerous situation for enterprise security teams.

Organizations must focus on urgent patching while deploying comprehensive detection and monitoring systems. The advanced techniques observed in these attacks, especially the fileless execution methods used by threat actors, underscore the need for modern endpoint detection and response solutions.

The SharePoint ToolShell vulnerability highlights that on-premises infrastructure demands constant vigilance and quick response capabilities. As threat actors continue to refine their exploitation techniques, organizations must uphold a strong security posture that includes timely patching, advanced monitoring, and thorough incident response plans.
